IEC 62443 · NIST SP 800-82 · Purdue Model

OT Security Compliance Assessment Malaysia — IEC 62443 & NIST 800-82

Specialist OT cybersecurity compliance assessment for Malaysian manufacturing, utilities, oil & gas and water. Passive methodology — we score the maturity without scanning your PLCs.

Get a Scope Talk to an Expert

Why OT compliance is different from IT

Operational Technology cybersecurity is not IT cybersecurity translated to factory floors. The priority order is inverted: in IT, confidentiality typically leads, integrity follows, availability third. In OT, safety leads, availability follows, integrity third, confidentiality last. A control loop on a turbine, a fired furnace, a water-treatment chlorination process, a moving conveyor — these have direct human-safety and environmental implications that data-confidentiality concerns simply do not.

That priority inversion drives every methodology choice. Patching cycles are measured in years not weeks because validation of a control-loop change requires shutdown windows that cost the business millions. Vendor warranty terms frequently prohibit modifications. Components in service today were specified in the 2000s and are operating exactly as designed — they were never built with cybersecurity threats in mind because the air gap was assumed.

The air gap is now a fiction in most environments. IT/OT convergence, remote vendor support, MES integration, cloud-hosted historian — all legitimate business requirements that have systematically connected OT to enterprise networks and beyond. The assessment exists to measure where you stand, what controls are in place, and what the realistic improvement path looks like given the operational constraints.

Framework coverage

IEC 62443

The OT cybersecurity gold standard. Series structure: 62443-2-1 (security programme), 62443-3-2 (zone-and-conduit risk assessment), 62443-3-3 (system security requirements and security levels SL1-4), 62443-4-1/4-2 (vendor and component requirements).

NIST SP 800-82

U.S. NIST guidance on Industrial Control Systems security. Maps cleanly to NIST CSF 2.0 functions. Often used as the management overlay above IEC 62443 technical controls.

NERC CIP

North American Electric Reliability Corporation Critical Infrastructure Protection — the standard for utilities. Relevant to Malaysian power generation operators with U.S. ownership or U.S. supply chain exposure.

ISA/IEC 61511

Functional safety of safety-instrumented systems. Where SIS and BPCS share network infrastructure, cybersecurity assessment of the shared layer is mandatory.

Purdue Enterprise Reference Architecture

We assess maturity at every Purdue level. The architecture is decades old but remains the dominant mental model — and the boundary points between levels are exactly where most attacks pivot.

Level 5

Enterprise network

Corporate IT, business systems, internet-facing services. The IT/OT boundary lives between L4 and L3.5 DMZ.

Level 4

Site business planning

ERP, MES gateway, plant scheduling. Often where the cleanest IT/OT segmentation breaks down.

Level 3.5

DMZ

The buffer between IT and OT. Historian replicas, jump hosts, vendor-access gateways. Properly designed, this is where attacks are stopped.

Level 3

Site operations

Engineering workstations, historians, MES, asset-management servers. Highest-value compromise target inside OT.

Level 2

Supervisory control

HMIs, SCADA servers, alarm management. Where operators see and act on the process.

Level 1

Basic control

PLCs, RTUs, intelligent electronic devices. The control loop itself.

Level 0

Process

Sensors, actuators, the physical process. Where cyber becomes physical.

Industry verticals served

• Discrete & process manufacturing: automotive, electronics, semiconductor, food & beverage, pharma
• Utilities: power generation, transmission and distribution (NERC CIP overlay where applicable)
• Oil & gas: upstream, midstream, downstream — IEC 62443 + IEC 61511 where SIS in scope
• Water & wastewater treatment: NCII-relevant under the Cyber Security Act 2024
• Transportation: rail, ports, logistics terminals with extensive SCADA
• Building automation: hyperscale data centres, hospitals, smart-building campuses

Methodology — passive, safe, evidence-led

Scoping & documentation review

Joint scoping with operations, engineering, IT and security leadership. Document review: P&ID, network diagrams, asset registers, change-management records, vendor support contracts, prior audit reports.

Passive network discovery

Tap-based packet capture at strategic points. No active scanning of L1/L0. Asset inventory built passively. Communication-flow map derived from observed traffic, not assumed.

Interviews & engineering walk-through

Structured interviews with control engineers, operators, vendor representatives, IT/OT integration leads. On-site walk-through of control rooms, MCC rooms, RIO cabinets.

Zone & conduit modelling

IEC 62443-3-2 methodology. Zones drawn around assets sharing common security requirements. Conduits documented between zones. Risk scored per zone, security level (SL) target assigned.

Maturity scoring & roadmap

Maturity scored per IEC 62443 zone and per NIST SP 800-82 control family. Remediation roadmap explicitly accommodates legacy components via compensating controls. Board-grade summary delivered.

Output

• Asset inventory derived from passive observation (often the first authoritative inventory the customer has had)
• Zone-and-conduit diagram per IEC 62443-3-2
• Maturity scoring per zone against IEC 62443-3-3 security levels (SL1-4)
• NIST SP 800-82 control-family maturity overlay
• Prioritised remediation roadmap with compensating-control options for legacy components
• Executive summary mapped to NCII codes of practice progress
• Related: OT Security overview, Manufacturing, Energy

Frequently asked questions

Will testing crash our PLC?

No. We deliberately do not actively scan production OT environments — the risk of a legacy PLC tripping under unexpected protocol traffic is real and well-documented. Our methodology is passive: tap-based network capture, document review, configuration export from engineering workstations, interview-based validation, and Purdue zone-conduit modelling. Active scanning, when warranted, is performed only on offline test rigs or during planned maintenance windows with full operator sign-off and rollback plans.

IEC 62443 — which sub-standard?

IEC 62443 is a series, not a single document. Most assessments anchor on IEC 62443-2-1 (security programme requirements for the asset owner), IEC 62443-3-2 (security risk assessment for system design — the zone-and-conduit methodology), and IEC 62443-3-3 (system security requirements and security levels). For component vendors, IEC 62443-4-1 (secure product development) and 4-2 (component security requirements) apply. We score against the parts of the series relevant to your role (asset owner, integrator, or vendor) and your industry.

Does NACSA mandate OT security in Malaysia?

The Cyber Security Act 2024 designates National Critical Information Infrastructure (NCII) sectors that include energy, water, transportation and selected manufacturing — most of which run extensive OT environments. NACSA codes of practice for these sectors are being developed and published progressively. While IEC 62443 is not yet explicitly mandated by NACSA, it is the most widely-recognised OT security standard internationally and the natural target for any NCII operator preparing for codes of practice. See our Cybersecurity Act readiness page for the broader CSA picture.

How long does an OT assessment take?

Typical engagements run 4-8 weeks depending on the number of sites, the complexity of the OT environment, and the breadth of the IEC 62443 scope. A single-site discrete manufacturing assessment runs 4 weeks. A multi-site utility with cross-site SCADA, distinct generation and distribution domains, and IT/OT integration complexity can run 8-12 weeks plus on-site travel time.

What if our OT is decade-old and can't be patched?

Common — and the IEC 62443 framework is built to handle it. Where a component cannot be patched (vendor warranty, certification re-validation cost, control-loop sensitivity), the methodology shifts to compensating controls at the zone and conduit boundary: stronger network segmentation, application allow-listing on adjacent engineering workstations, monitored conduit traffic, and disciplined change management. The assessment delivers a roadmap that explicitly accommodates legacy components rather than demanding rip-and-replace.

Ready to assess without disrupting production?

Scoping calls take 30 minutes. Single-site engagements complete in 4 weeks. Multi-site programmes scope by site.

Get a Scope

Why OT compliance is different from IT

Framework coverage

IEC 62443

NIST SP 800-82

U.S. NIST guidance on Industrial Control Systems security. Maps cleanly to NIST CSF 2.0 functions. Often used as the management overlay above IEC 62443 technical controls.

NERC CIP

ISA/IEC 61511

Functional safety of safety-instrumented systems. Where SIS and BPCS share network infrastructure, cybersecurity assessment of the shared layer is mandatory.

Purdue Enterprise Reference Architecture

We assess maturity at every Purdue level. The architecture is decades old but remains the dominant mental model — and the boundary points between levels are exactly where most attacks pivot.

Level 5

Enterprise network

Corporate IT, business systems, internet-facing services. The IT/OT boundary lives between L4 and L3.5 DMZ.

Level 4

Site business planning

ERP, MES gateway, plant scheduling. Often where the cleanest IT/OT segmentation breaks down.

Level 3.5

DMZ

The buffer between IT and OT. Historian replicas, jump hosts, vendor-access gateways. Properly designed, this is where attacks are stopped.

Level 3

Site operations

Engineering workstations, historians, MES, asset-management servers. Highest-value compromise target inside OT.

Level 2

Supervisory control

HMIs, SCADA servers, alarm management. Where operators see and act on the process.

Level 1

Basic control

PLCs, RTUs, intelligent electronic devices. The control loop itself.

Level 0

Process

Sensors, actuators, the physical process. Where cyber becomes physical.

Industry verticals served

• Discrete & process manufacturing: automotive, electronics, semiconductor, food & beverage, pharma

• Utilities: power generation, transmission and distribution (NERC CIP overlay where applicable)

• Oil & gas: upstream, midstream, downstream — IEC 62443 + IEC 61511 where SIS in scope

• Water & wastewater treatment: NCII-relevant under the Cyber Security Act 2024

• Transportation: rail, ports, logistics terminals with extensive SCADA

• Building automation: hyperscale data centres, hospitals, smart-building campuses

Methodology — passive, safe, evidence-led

Scoping & documentation review

Passive network discovery

Tap-based packet capture at strategic points. No active scanning of L1/L0. Asset inventory built passively. Communication-flow map derived from observed traffic, not assumed.

Interviews & engineering walk-through

Structured interviews with control engineers, operators, vendor representatives, IT/OT integration leads. On-site walk-through of control rooms, MCC rooms, RIO cabinets.

Zone & conduit modelling

IEC 62443-3-2 methodology. Zones drawn around assets sharing common security requirements. Conduits documented between zones. Risk scored per zone, security level (SL) target assigned.

Maturity scoring & roadmap

Maturity scored per IEC 62443 zone and per NIST SP 800-82 control family. Remediation roadmap explicitly accommodates legacy components via compensating controls. Board-grade summary delivered.

Output

• Asset inventory derived from passive observation (often the first authoritative inventory the customer has had)

• Zone-and-conduit diagram per IEC 62443-3-2

• Maturity scoring per zone against IEC 62443-3-3 security levels (SL1-4)

• NIST SP 800-82 control-family maturity overlay

• Prioritised remediation roadmap with compensating-control options for legacy components